While HIPAA’s recently enhanced penalty provisions and newly enacted security breach notification requirements have each received a significant amount of attention, the connection between them and its significant implications for employers and healthcare providers subject to HIPAA have not. Most significantly, because of the enhanced penalties, it is critical that covered entities conduct a careful and documented risk assessment before deciding not to provide notice of a security incident.